Create Filtering Firewall

In this example of a simple bridge firewall setup you see how a bridge can protect a server. The router has both an external IP address on the Internet and an internal address on the 192.168.7.0/24 network, so it is performing NAT (Network Address Translation). The bridge is given an IP address so that it can be administered remotely. Note that its two member network interfaces have no IP addresses of their own: if you inspect them with ifconfig, all you will see are MAC addresses. The bridge device br0, however, carries the IP address 192.168.7.3. A switch is placed between the bridge and the mail server. Anything attached to that switch, such as workstations or additional servers added later, then sits behind the bridge and is filtered by it.

To set this up, create a file called rc.firewall in the /etc directory and make it executable with:

chmod 755 /etc/rc.firewall

Here is a sample script; modify it and use it at your own risk.

###############################################

#!/bin/bash
# This script comes with no warranty ...use at own risk
# Copyright (C) 2006 Mike Weber
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA 02111-1307 USA
##########################################

# Address of the bridge device itself (used for remote administration).
# The two member interfaces of the bridge carry no IP address.
br0="192.168.7.3"
# The NAT router's inside address; the bridge's default gateway.
GATEWAY_IP="192.168.7.2"
LAN_NET="192.168.7.0/255.255.255.0"
LAN_BROADCAST="192.168.7.255"

# Address ranges that should never appear as sources on the outside.
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/4"
BROADCAST_SRC="0.0.0.0"
BROADCAST_DEST="255.255.255.255"

# Hosts behind the bridge.
WEB="192.168.7.120"
WEB2="192.168.7.122"
WEB3="192.168.7.126"
MAIL="192.168.7.123"
ADMIN="192.168.7.119"

###########################################
# Add protection from the kernel
# Ignore ICMP echo requests sent to broadcast addresses, so this host
# cannot be used as an amplifier in a smurf attack.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
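Two checks a practitioner would want at this point, as an added example that is not part of the page's rc.firewall or of the author's code: a validator for the address variables (a letter O typed in place of a zero, or a three-octet network such as 224.0.0/4, is easy to miss by eye and should be caught before the values reach any rule), and a dry-run function that prints the commands assembling br0 from two address-less ports as described in the setup above. The interface names eth0 and eth1, the /24 prefix, and the use of brctl (bridge-utils) and ip (iproute2) are assumptions; the page only names br0 and its address. The sample variable block embedded below is the page's header as published, used here as constructed test input.

```shell
#!/bin/sh
# Added example, not part of the page's rc.firewall. Assumptions: ports are
# eth0/eth1, brctl and ip are installed; the page names only br0.

# valid_ipv4 A.B.C.D -> exit 0 for exactly four decimal octets 0-255.
# A letter O for a zero, or a missing octet, is rejected here.
valid_ipv4() {
    case "$1" in ""|*[!0-9.]*) return 1 ;; esac   # non-digit characters
    _rest=$1.                                      # sentinel dot at the end
    _n=0
    while [ -n "$_rest" ]; do
        _o=${_rest%%.*}
        _rest=${_rest#*.}
        [ -n "$_o" ] && [ "$_o" -le 255 ] || return 1
        _n=$((_n + 1))
    done
    [ "$_n" -eq 4 ]
}

# valid_net SPEC -> exit 0 for "A.B.C.D", "A.B.C.D/N" (N 0-32) or
# "A.B.C.D/M.M.M.M" (the dotted-mask form the script uses for LAN_NET).
valid_net() {
    case "$1" in
        */*) _addr=${1%%/*}; _mask=${1#*/} ;;
        *)   _addr=$1; _mask=- ;;                  # "-" means no mask given
    esac
    valid_ipv4 "$_addr" || return 1
    case "$_mask" in
        -)           return 0 ;;
        *.*)         valid_ipv4 "$_mask" ;;
        ""|*[!0-9]*) return 1 ;;
        *)           [ "$_mask" -le 32 ] ;;
    esac
}

# check_assignments < FILE
# Reads NAME="VALUE" lines (the shape used in rc.firewall), prints
# NAME=VALUE for every value that is not a valid address or network,
# and exits 1 if any were found.
check_assignments() {
    _q='"'
    _bad=0
    while IFS= read -r _line; do
        case "$_line" in
            [A-Za-z_]*=$_q*$_q) ;;                 # only NAME="..." lines
            *) continue ;;
        esac
        _name=${_line%%=*}
        _val=${_line#*=$_q}
        _val=${_val%$_q}
        valid_net "$_val" || { echo "$_name=$_val"; _bad=1; }
    done
    return $_bad
}

# Constructed test input: the address block from the page's script as
# first published (it contains the typos this check is meant to catch).
PUBLISHED_VARS='br0="192.168.7.3"
GATEWAY_IP="192.168.7.2"
LAN_NET="192.168.7.0/255.255.255.0"
LAN_BROADCAST="192.168.7.255"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0/4"
CLASS_E_RESERVED_NET="240.0.0/4"
BROADCAST_SRC="O.O.O.0"
BROADCAST_DEST="255.255.255.255"
WEB="192.168.7.120"
MAIL="192.168.7.123"
ADMIN="192.168.7.119"'

# bad_vars -> prints the offending names from the sample above.
bad_vars() {
    printf '%s\n' "$PUBLISHED_VARS" | check_assignments
}

# bridge_cmds BRIDGE PORT1 PORT2 BRIDGE_ADDR/PREFIX GATEWAY
# Prints the commands that build the layout on this page: two member
# ports with no IP address (only a MAC), the bridge device addressed for
# remote administration, and a default route via the NAT router.
bridge_cmds() {
    printf 'brctl addbr %s\n' "$1"
    for _p in "$2" "$3"; do
        printf 'ip addr flush dev %s\n' "$_p"      # member ports carry no IP
        printf 'ip link set %s up\n' "$_p"
        printf 'brctl addif %s %s\n' "$1" "$_p"
    done
    printf 'ip addr add %s dev %s\n' "$4" "$1"
    printf 'ip link set %s up\n' "$1"
    printf 'ip route add default via %s\n' "$5"
}

case "${1:-}" in
    check) check_assignments < "$2" ;;             # check FILE
    apply) shift; bridge_cmds "$@" | sh -e ;;      # apply BR P1 P2 ADDR GW (root)
esac
```

`sh bridge-helper.sh check /etc/rc.firewall` lists any malformed address variable; `sh bridge-helper.sh apply br0 eth0 eth1 192.168.7.3/24 192.168.7.2` (as root) builds the bridge, and running `bridge_cmds` alone shows the commands without executing them. One caveat for this design: iptables only sees frames crossing a Linux bridge when the bridge-netfilter hooks are enabled (`/proc/sys/net/bridge/bridge-nf-call-iptables` on 2.6 kernels; on newer kernels the br_netfilter module must be loaded), so check that before expecting any IP-layer rule on the bridge to match.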